Share
## https://sploitus.com/exploit?id=336099EB-D841-5918-884E-BDD159524698
# CVE-2026-31431 โ "Copy Fail" Research Repository
[]()
[]()
[](https://nvd.nist.gov/vuln/detail/CVE-2026-31431)
[](https://github.com/nisec-eric/cve-2026-31431/releases)
[](LICENSE)
> **A 100% reliable Linux local privilege escalation affecting every mainstream distribution since 2017.**
>
> One logic bug in `authencesn`, chained through `AF_ALG` and `splice()` into a 4-byte page-cache write โ silently exploitable for nearly a decade.
## โ ๏ธ Disclaimer
**All code and documentation in this repository is provided exclusively for authorized security research and educational purposes.**
Running exploit code against systems you do not own or have explicit written authorization to test is illegal. By using this repository, you accept full responsibility for your actions.
---
## Overview
| Field | Detail |
|---|---|
| **CVE** | CVE-2026-31431 |
| **Alias** | Copy Fail |
| **Type** | Linux kernel local privilege escalation (LPE) / page-cache arbitrary write |
| **CVSS v3.1** | 7.8 HIGH โ `AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H` |
| **CWE** | CWE-669 (Incorrect Resource Transfer Between Spheres) |
| **Component** | `crypto/algif_aead` โ `authencesn` cryptographic template |
| **Introduced** | 2017 (commit `72548b093ee3`) |
| **Fixed** | Mainline commit `a664bf3d603d` (2026-04-01) |
| **Patched kernel** | v6.18.22+, v6.19.12+, v7.0+ |
| **Discoverer** | Xint / Theori (Taeyang Lee + Xint Code AI-assisted audit) |
| **Disclosure** | 2026-04-29 โ [copy.fail](https://copy.fail/) |
### Why Copy Fail is different
| | Typical Linux LPE | Copy Fail |
|---|---|---|
| Race condition | Required | **None** |
| Per-distro offsets | Required | **None** |
| Reliability | 30โ80% | **100%, single shot** |
| Affected window | Narrow | **2017 โ 2026 (9 years)** |
| On-disk modification | Possible | **None (stealthy)** |
| Cross-container | No | **Yes** |
---
## Repository Structure
```
.
โโโ README.md โ You are here
โโโ LICENSE โ MIT
โโโ .gitignore
โโโ docs/
โ โโโ analysis-report.md โ Comprehensive security analysis
โ โโโ analysis-report.html โ Styled HTML version
โ โโโ exploit-walkthrough.md โ Line-by-line PoC analysis
โ โโโ exploit-walkthrough.html โ Styled HTML version
โโโ poc/
โโโ README.md โ PoC usage guide
โโโ copy_fail_exp.py โ Official PoC (732 bytes, obfuscated)
โโโ copy_fail_exp_readable.py โ Deobfuscated + annotated version
โโโ copy_fail_exp_compat.py โ Python 3.6+ compat (ctypes splice)
โโโ copy_fail_exp_alpine.py โ Alpine Linux variant
โโโ copy_fail_exp.go โ Go implementation (zero deps)
โโโ copy_fail_rust/ โ Rust implementation
โ โโโ Cargo.toml
โ โโโ src/main.rs
โโโ check_vulnerable.py โ Vulnerability scanner
โโโ mitigate.sh โ One-click mitigation script
```
---
## Quick Start
### Download pre-built release
```bash
# From GitHub Releases โ pre-built Go binary (Linux amd64/arm64) + all Python scripts
wget https://github.com/nisec-eric/cve-2026-31431/releases/latest/download/copy-fail-go-linux.tar.gz
wget https://github.com/nisec-eric/cve-2026-31431/releases/latest/download/copy-fail-python.tar.gz
tar xzf copy-fail-go-linux.tar.gz
tar xzf copy-fail-python.tar.gz
# Go static binary (no Python needed)
chmod +x copy-fail-exp-amd64
./copy-fail-exp-amd64
# Or use Python scripts directly
python3 check_vulnerable.py
```
> ๐ฆ Releases are auto-built via GitHub Actions on every `v*` tag push.
> Go binaries are cross-compiled for **linux/amd64** and **linux/arm64** with `CGO_ENABLED=0`.
### 1. Check if your system is vulnerable
```bash
python3 poc/check_vulnerable.py
```
### 2. Apply mitigation (no reboot required)
```bash
sudo bash poc/mitigate.sh
```
This blacklists the `algif_aead` kernel module โ breaks nothing for 99% of systems.
### 3. Patch properly โ upgrade your kernel
```bash
# Debian/Ubuntu
sudo apt update && sudo apt upgrade linux-image-*
# RHEL/CentOS/Fedora
sudo dnf update kernel
# Reboot into patched kernel
sudo reboot
```
### 4. Verify
```bash
python3 poc/check_vulnerable.py
# Exit code 1 = protected โ
```
---
## PoC Exploits
> **WARNING: Run only on systems you own or have authorization to test.**
| File | Language | Requirements | Notes |
|---|---|---|---|
| `copy_fail_exp.py` | Python 3.10+ | stdlib only | Official 732-byte PoC |
| `copy_fail_exp_compat.py` | Python 3.6+ | stdlib + ctypes | Works on CentOS 7, AL2 etc. |
| `copy_fail_exp_alpine.py` | Python 3.10+ | stdlib only | Targets `/bin/ping` on Alpine |
| `copy_fail_exp.go` | Go 1.21+ | stdlib only | Static binary, zero deps |
| `copy_fail_rust/` | Rust 1.70+ | libc + flate2 crates | Static binary |
```bash
# Python
python3 poc/copy_fail_exp.py
python3 poc/copy_fail_exp_compat.py # Python < 3.10
# Go
go build -o exp ./poc/copy_fail_exp.go && ./exp
# Rust
cd poc/copy_fail_rust && cargo run --release
```
All versions accept an optional argument to target a different SUID binary:
```bash
python3 poc/copy_fail_exp.py /usr/bin/passwd
./exp /usr/bin/sudo
```
---
## Documentation
### ๐ [Security Analysis Report](docs/analysis-report.md) ([HTML](docs/analysis-report.html))
Full vulnerability assessment covering:
- Technical root cause (scatterlist page provenance, `authencesn` scratch write)
- Affected versions and distribution patch status
- Remediation for bare-metal Linux, Kubernetes, Docker, WSL2
- Detection and monitoring guidance (auditd, SELinux, file integrity)
- Disclosure timeline
### ๐ [Exploit Walkthrough](docs/exploit-walkthrough.md) ([HTML](docs/exploit-walkthrough.html))
Line-by-line PoC analysis covering:
- Complete deobfuscated source with annotations
- Kernel internals: `AF_ALG` socket flow, `splice()` page-cache delivery, `sg_chain()` mechanics
- The `authencesn` ESN scratch write that crosses scatterlist boundaries
- Payload analysis (160-byte ELF shellcode)
- Attack variants: `/etc/passwd` injection, shared library targeting, container escape
- Attack limitations and boundaries
---
## Impact by Environment
| Environment | Risk | Why |
|---|---|---|
| Multi-tenant Linux hosts | ๐ด High | Any user โ root |
| Kubernetes / containers | ๐ด High | Shared page cache โ container escape |
| CI runners (self-hosted) | ๐ด High | Malicious PR โ runner root |
| Cloud SaaS (user code) | ๐ด High | Tenant โ host root |
| Standard servers | ๐ก Medium | Chains with web RCE / stolen creds |
| Single-user laptops | ๐ข Low | Already the only user |
---
## Key References
- [copy.fail](https://copy.fail/) โ Official vulnerability page
- [Xint Blog โ Technical Writeup](https://xint.io/blog/copy-fail-linux-distributions) โ Root cause deep-dive
- [NVD Entry](https://nvd.nist.gov/vuln/detail/CVE-2026-31431)
- [GitHub Advisory GHSA-2274-3hgr-wxv6](https://github.com/advisories/GHSA-2274-3hgr-wxv6)
- [Kernel Patch (commit a664bf3d603d)](https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=a664bf3d603d)
- [Official PoC Repository](https://github.com/theori-io/copy-fail-CVE-2026-31431)
- [Red Hat Advisory](https://access.redhat.com/security/cve/cve-2026-31431) | [Ubuntu](https://ubuntu.com/security/CVE-2026-31431) | [SUSE](https://www.suse.com/security/cve/CVE-2026-31431.html) | [Amazon Linux](https://explore.alas.aws.amazon.com/CVE-2026-31431.html)
---
## Contributing
Contributions welcome:
- Additional PoC implementations (C, Zig, etc.)
- Distribution-specific test results
- Detection rules (Snort, Suricata, YARA, Sigma)
- Translations of documentation
Please open an issue or pull request.
## License
[MIT](LICENSE) โ Use responsibly.